Rule S6957 crashes on pnpm catalog: version specifiers - TypeError: Invalid comparator: catalog:

Category: Bug

Body:

Environment

  • SonarQube Server: 26.3.0
  • SonarScanner: 4.3.5
  • Node.js: 24.12.0
  • Package manager: pnpm 10.19 with workspace catalogs

Description

Rule sonarjs/S6957 crashes during analysis when any package.json in the project uses pnpm’s
Catalogs for version specifiers. The crash halts the entire JS/TS analysis.

Reproducer

A package.json with catalog specifiers:
    {
      "dependencies": {
        "next": "catalog:",
        "react": "catalog:",
        "react-dom": "catalog:"
      }
    }

The actual versions are defined in pnpm-workspace.yaml:
    catalogs:
      default:
        next: ^16.0.0
        react: ^19.0.0
        react-dom: ^19.0.0

Error log
    [ERROR] ScannerEngine: TypeError: Error while loading rule 'sonarjs/S6957': Invalid comparator: catalog:
    [ERROR] ScannerEngine: Occurred while linting /path/to/create-i18n-settings.ts
    [ERROR] ScannerEngine: at e.parse (…/bridge-bundle/package/bin/server.cjs:722:52732)
    [ERROR] ScannerEngine: at new e (…/bridge-bundle/package/bin/server.cjs:722:52525)
    [ERROR] ScannerEngine: at …/bridge-bundle/package/bin/server.cjs:722:48601

The scanner’s semver parser attempts to parse the literal string catalog: as a semver range, which
fails. This causes the full JS/TS analysis to abort.

Expected behavior

S6957 should either resolve catalog: specifiers via pnpm-workspace.yaml, or gracefully skip
dependencies it cannot parse.
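
The expected behavior above, sketched as an added example that is not part of the original post and is not SonarJS code: catalog: specifiers are resolved against the workspace catalogs, and anything that still cannot be parsed is recorded and skipped instead of aborting the run. The function names, the pre-parsed `sampleCatalogs` object and the narrow `SIMPLE_RANGE` check (a stand-in for a real semver parser) are assumptions.

```javascript
'use strict';
// Constructed inputs mirroring the report's package.json and pnpm-workspace.yaml
// (the YAML is shown already parsed into a plain object).
const samplePackageJson = {
  dependencies: { next: 'catalog:', react: 'catalog:', 'react-dom': 'catalog:' },
};
const sampleCatalogs = {
  default: { next: '^16.0.0', react: '^19.0.0', 'react-dom': '^19.0.0' },
};

const PROTOCOL = /^([a-z][a-z0-9+.-]*):(.*)$/i;
// Stand-in for a real semver parser: one optional operator plus x[.y[.z]].
const SIMPLE_RANGE = /^(\^|~|>=|<=|>|<|=)?v?\d+(\.(\d+|x|\*)){0,2}(-[0-9A-Za-z.-]+)?$/;
// Own-property check so catalog or package names never hit Object.prototype.
const own = (obj, key) => obj != null && Object.prototype.hasOwnProperty.call(obj, key);

// Turn one specifier into { range } or { skipped: reason }; never throws.
function resolveSpecifier(name, spec, catalogs) {
  if (typeof spec !== 'string') return { skipped: 'specifier is not a string' };
  let range = spec.trim();
  const m = PROTOCOL.exec(range);
  if (m) {
    if (m[1].toLowerCase() !== 'catalog') return { skipped: `unsupported protocol ${m[1]}:` };
    const catalogName = m[2] || 'default'; // bare "catalog:" means the default catalog
    if (!own(catalogs, catalogName) || !own(catalogs[catalogName], name)) {
      return { skipped: `no entry for ${name} in catalog "${catalogName}"` };
    }
    range = String(catalogs[catalogName][name]).trim();
  }
  return SIMPLE_RANGE.test(range) ? { range } : { skipped: `unparseable range "${range}"` };
}

// Resolve every dependency; unparseable ones are reported, not fatal.
function resolveDependencies(pkg, catalogs) {
  const resolved = {};
  const skipped = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const result = resolveSpecifier(name, spec, catalogs);
      if (own(result, 'range')) resolved[name] = result.range;
      else skipped.push({ name, spec, reason: result.skipped });
    }
  }
  return { resolved, skipped };
}

console.log(resolveDependencies(samplePackageJson, sampleCatalogs));
```

The `skipped` list is worth surfacing in the scan log, so a dependency the check could not evaluate is visible rather than silently dropped from coverage.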

Hi @Zac_Clifton, welcome to the community!

Thank you for the report. This is indeed a bug in the analyzer: S6957 can crash when React dependencies use pnpm catalog: version specifiers instead of a semver range.

This is already tracked in this ticket. The fix is completed and will be included in the next version of SonarQube Community Build 26.4.0.

Sorry for the trouble, and thanks for helping us improve the tool.